!Outbound interface configuration
interface GigabitEthernet0/0
description go_to_internet
!sample address; the actual IP address may be a public IP address
ip address 192.168.5.1 255.255.255.252
ip nat outside
ip access-group 110 in
no cdp enable
no shut
exit
!filter private-ip as source
!prevent "spoofing" attack
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
!deny special-use address sources
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
!permit the rest
access-list 110 permit ip any any
Notes
- If your network has multiple in-use/standby public IP addresses, you might want to BLOCK all of those addresses as well, because someone can claim to be coming from those IP addresses.
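
To check what ACL 110 above does to a given source address, the following added example (Python, not part of the original post) parses the entries and applies first-match, wildcard-mask matching. The function names `parse_acl` and `evaluate` and the sample source addresses are constructed for illustration, and only the source field is modelled.

```python
import ipaddress

# ACL 110 as given on this page (destination is always "any").
ACL_110 = """\
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip host 0.0.0.0 any
access-list 110 deny ip 127.0.0.0 0.255.255.255 any
access-list 110 deny ip 224.0.0.0 31.255.255.255 any
access-list 110 permit ip any any
"""

def _to_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Return ordered (action, base, wildcard) tuples for 'ip <source> any' entries."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # skip "!" comments and anything this sketch does not model
        action, src = tok[2], tok[4:]
        if src[0] == "any":
            base, wild = 0, 0xFFFFFFFF
        elif src[0] == "host":
            base, wild = _to_int(src[1]), 0
        else:
            base, wild = _to_int(src[0]), _to_int(src[1])
        rules.append((action, base, wild))
    return rules

def evaluate(rules, source):
    """First match wins; an ACL ends with an implicit deny."""
    addr = _to_int(source)
    for action, base, wild in rules:
        # Wildcard bits set to 1 are "don't care"; compare only the remaining bits.
        if (addr & ~wild & 0xFFFFFFFF) == (base & ~wild & 0xFFFFFFFF):
            return action
    return "deny"

if __name__ == "__main__":
    rules = parse_acl(ACL_110)
    # Constructed sample sources; 198.51.100.7 is a documentation address
    # standing in for an ordinary public host.
    for src in ["10.1.2.3", "172.31.255.1", "192.168.5.2", "240.0.0.1", "198.51.100.7"]:
        print(f"{src:15} -> {evaluate(rules, src)}")
```

The output shows that the `31.255.255.255` wildcard covers everything from 224.0.0.0 to 255.255.255.255, and that a neighbor at 192.168.5.2 on the sample /30 would be denied, a reminder that the interface address in the post stands in for a public one.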